BIG-IP Local Traffic Manager : Implementations. Version 11.4



Table of Contents

Legal Notices...13

Acknowledgments...15

Chapter 1:  Configuring a Simple Intranet...19

Overview: A simple intranet configuration...19

Task summary...20

Creating a pool...20

Creating a virtual server...20

Chapter 2:  Configuring ISP Load Balancing...23

Overview: ISP load balancing...23

Illustration of ISP load balancing...23

Task summary for ISP load balancing...23

Creating a load balancing pool...24

Creating a virtual server for inbound content server traffic...24

Creating a virtual server for outbound traffic for routers...25

Creating self IP addresses for an external VLAN...25

Enabling SNAT automap for internal and external VLANs...26

Chapter 3:  Routing Based on XML Content...27

Overview: XML content-based routing...27

Task summary...28

Creating a custom XML profile...28

Writing XPath queries...29

Creating a pool to manage HTTP traffic...29

Creating an iRule...30

Viewing statistics about XML content-based routing...31

Chapter 4:  Configuring nPath Routing...33

Overview: Layer 2 nPath routing...33

About Layer 2 nPath routing configuration...34

Guidelines for UDP timeouts...34

Guidelines for TCP timeouts...35

Task summary...35

Creating a custom Fast L4 profile...35

Creating a server pool for nPath routing...35

Creating a virtual server for Layer 2 nPath routing...36

Configuring the virtual address on the server loopback interface...36

Setting the route for inbound traffic...37


Configuring the Connection.Autolasthop bigdb key...37

Chapter 5:  Configuring Layer 3 nPath Routing...39

Overview: Layer 3 nPath routing...39

Configuring Layer 3 nPath routing using tmsh...40

Configuring a Layer 3 nPath monitor using tmsh...40

Layer 3 nPath routing example...41

Chapter 6:  Creating a Basic Web Site and E-commerce Configuration...43

Overview: Basic web site and eCommerce configuration...43

Illustration of basic web site and eCommerce configuration...43

Task summary...44

Creating a pool to process HTTP traffic...44

Creating a pool to manage HTTPS traffic...44

Creating a virtual server to manage HTTP traffic...45

Creating a virtual server to manage HTTPS traffic...46

Chapter 7:  Installing a BIG-IP System Without Changing the IP Network...47

Overview: Installing a BIG-IP system without changing the IP network...47

Task summary...48

Removing the self IP addresses from the default VLANs...48

Creating a VLAN group...48

Creating a self IP for a VLAN group...49

Creating a pool of web servers...49

Creating a virtual server...50

Chapter 8:  Enabling IP Address Intelligence...51

Overview: Enabling IP address intelligence...51

Enabling IP address intelligence...51

Creating an iRule to log IP address intelligence information...52

Creating an iRule to reject requests with questionable IP addresses...53

Checking the reputation of an IP address...53

Checking the status of the IP intelligence database...54

IP address intelligence categories...54

Chapter 9:  Managing Client-side HTTPS Traffic Using a Self-signed Certificate...57

Overview: Managing client-side HTTPS traffic using a self-signed certificate...57

Task summary...57

Creating a self-signed SSL certificate...57

Creating a custom HTTP profile...58

Creating a custom Client SSL profile...58

Creating a pool to process HTTP traffic...59

Creating a virtual server for client-side HTTPS traffic...60

Implementation result...60

Chapter 10:  Managing Client and Server HTTPS Traffic using a Self-signed Certificate...61

Overview: Managing client and server HTTPS traffic using a self-signed certificate...61

Task summary...61

Creating a self-signed SSL certificate...62

Creating a custom HTTP profile...62

Creating a custom Client SSL profile...63

Creating a custom Server SSL profile...63

Creating a pool to manage HTTPS traffic...64

Creating a virtual server for client-side and server-side HTTPS traffic...64

Implementation results...65

Chapter 11:  Managing Client-side HTTPS Traffic using a CA-signed Certificate...67

Overview: Managing client-side HTTPS traffic using a CA-signed certificate...67

Task summary...67

Requesting a certificate from a certificate authority...67

Creating a custom HTTP profile...68

Creating a custom Client SSL profile...69

Creating a pool to process HTTP traffic...69

Creating a virtual server for client-side HTTPS traffic...70

Implementation results...70

Chapter 12:  Configuring Content Adaptation for HTTP Requests...71

Overview: Configuring HTTP Request Adaptation...71

Task summary...72

Creating a custom client-side ICAP profile...72

Creating a pool of ICAP servers...73

Creating an internal virtual server for forwarding requests to an ICAP server...73

Creating a custom Request Adapt profile...74

Creating a custom HTTP profile...75

Creating a pool to process HTTP traffic...75

Creating an HTTP virtual server for enabling request adaptation...76

Implementation result...76

Chapter 13:  Configuring Content Adaptation for HTTP Requests and Responses...77

Overview: Configuring HTTP Request and Response Adaptation...77

Task summary...78

Creating a custom client-side ICAP profile...78

Creating a custom server-side ICAP profile...79

Creating a pool of ICAP servers...80

Creating an internal virtual server for forwarding requests to an ICAP server...81


Creating an internal virtual server for forwarding responses to an ICAP server...81

Creating a custom Request Adapt profile...82

Creating a custom Response Adapt profile...82

Creating a custom HTTP profile...83

Creating a pool to process HTTP traffic...84

Creating an HTTP virtual server for enabling request and response adaptation...84

Implementation result...85

Chapter 14:  Implementing SSL Forward Proxy on a Single BIG-IP System...87

Overview: SSL forward proxy client and server authentication...87

Task summary...88

Creating a custom Client SSL forward proxy profile...88

Creating a custom Server SSL forward proxy profile...88

Creating a load balancing pool...89

Creating a virtual server for client-side and server-side SSL traffic...90

Implementation result...91

Chapter 15:  Implementing Proxy SSL on a Single BIG-IP System...93

Overview: Direct client-server authentication with application optimization...93

Task summary...93

Creating a custom Server SSL profile...94

Creating a custom Client SSL profile...94

Creating a load balancing pool...95

Creating a virtual server for client-side and server-side SSL traffic...95

Implementation result...96

Chapter 16:  Configuring HTTP Load Balancing with Source Address Affinity Persistence...97

Overview: HTTP load balancing with source affinity persistence...97

Task summary...97

Creating a pool to process HTTP traffic...97

Creating a virtual server for HTTP traffic...98

Chapter 17:  Configuring HTTP Load Balancing with Cookie Persistence...99

Overview: HTTP load balancing with cookie persistence...99

Task summary...99

Creating a custom cookie persistence profile...99

Creating a pool to process HTTP traffic...100

Creating a virtual server for HTTP traffic...100

Chapter 18:  Compressing HTTP Responses...103

Overview: Compressing HTTP responses...103

Task summary...103

Creating a customized HTTP compression profile...103

Creating a virtual server for HTTP compression...104

Chapter 19:  Managing HTTP Traffic with the SPDY Profile...105

Overview: Managing HTTP traffic with the SPDY profile...105

Task summary for managing HTTP and SPDY traffic...106

Creating a pool to process HTTP traffic...106

Creating an iRule for SPDY requests...107

Creating a virtual server to manage HTTP traffic...107

Creating a SPDY profile...108

Creating a virtual server to manage SPDY traffic...109

Chapter 20:  Using Via Headers to Acquire Information About Intermediate Routers...111

Overview: Using Via headers...111

Task summary for identifying intermediate information with Via headers...111

Identifying information about intermediate proxies with Via headers...111

Removing Via headers from requests and responses...112

Chapter 21:  Configuring the BIG-IP System as a Reverse Proxy Server...113

Overview: URI translation and HTML content modification...113

About URI translation...113

Rules for matching requests to URI rules...114

About URI Rules...114

Introduction to HTML content modification...115

Task summary...115

Creating a Rewrite profile to specify URI rules...115

Creating an HTML profile for tag removal...116

Creating pools for processing HTTP traffic...117

Creating a local traffic policy...117

Creating a virtual server...118

Implementation results...119

Chapter 22:  Load Balancing Passive Mode FTP Traffic...121

Overview: FTP passive mode load balancing...121

Task Summary for load balancing passive mode FTP traffic...121

Creating a custom FTP monitor...121

Creating a pool to manage FTP traffic...123

Creating a virtual server for FTP traffic...124

Chapter 23:  Load Balancing Passive Mode FTP Traffic with Data Channel Optimization...125


Overview: FTP passive mode load balancing with data channel optimization...125

Task Summary for load balancing passive mode FTP traffic...125

Creating a custom FTP profile...125

Creating a custom FTP monitor...126

Creating a pool to manage FTP traffic...128

Creating a virtual server for FTP traffic...128

Implementation result...129

Chapter 24:  Referencing an External File from within an iRule...131

Overview: Referencing an external file from an iRule...131

iRule commands for iFiles...132

Task summary...132

Importing a file to the BIG-IP system...132

Creating an iFile...132

Writing an iRule that references an iFile...133

Implementation result...133

Chapter 25:  Configuring the BIG-IP System as a DHCP Relay Agent...135

Overview: Managing IP addresses for DHCP clients...135

About the BIG-IP system as a DHCP relay agent...135

Task summary...136

Creating a pool of DHCP servers...137

Creating a DHCP Relay type virtual server...137

Implementation result...138

Chapter 26:  Configuring the BIG-IP System for DHCP Renewal...139

Overview: Renewing IP addresses for DHCP clients...139

About DHCP renewal...139

Task summary...140

Creating a DHCP renewal virtual server...140

Implementation result...141

Chapter 27:  Configuring a One-IP Network Topology...143

Overview: Configuring a one-IP network topology...143

Illustration of a one-IP network topology for the BIG-IP system...144

Task summary for a one-IP network topology for the BIG-IP system...144

Creating a pool for processing HTTP connections with SNATs enabled...144

Creating a virtual server for HTTP traffic...145

Defining a default route...145

Configuring a client SNAT...146

Chapter 28:  Implementing Health and Performance Monitoring...147

Overview: Health and performance monitoring...147

Task summary...148

Creating a custom monitor...148

Creating a load balancing pool...148

Creating a virtual server...149

Chapter 29:  Preventing TCP Connection Requests From Being Dropped...151

Overview: TCP request queuing...151

Preventing TCP connection requests from being dropped...152

Chapter 30:  Setting Connection Limits...153

Overview: About connection limits...153

Limiting connections for a virtual server, pool member, or node...153

Implementation results...154

Chapter 31:  Load Balancing to IPv6 Nodes...155

Overview: Load balancing to IPv6 nodes...155

Task summary...155

Creating a load balancing pool...155

Creating a virtual server for IPv6 nodes...156

Chapter 32:  Mitigating Denial of Service Attacks...157

Overview: Mitigating Denial of Service and other attacks...157

Denial of Service attacks and iRules...157

iRules for Code Red attacks...157

iRules for Nimda attacks...158

Common Denial of Service attacks...158

Task summary...160

Configuring adaptive reaping...161

Setting the TCP and UDP connection timers...161

Applying a rate class to a virtual server...161

Calculating connection limits on the main virtual server...162

Setting connection limits on the main virtual server...162

Adjusting the SYN Check threshold...162

Chapter 33:  Configuring Remote CRLDP Authentication...165

Overview of remote authentication for application traffic...165

Task Summary...165

Creating a CRLDP configuration object for authenticating application traffic remotely...166

Creating a custom CRLDP profile...166

Modifying a virtual server for CRLDP authentication...167

Chapter 34:  Configuring Remote LDAP Authentication...169


Overview of remote LDAP authentication for application traffic...169

Task Summary...169

Creating an LDAP configuration object for authenticating application traffic remotely...170

Creating a custom LDAP profile...170

Modifying a virtual server for LDAP authentication...170

Chapter 35:  Configuring Remote RADIUS Authentication...173

Overview of remote authentication for application traffic...173

Task summary for RADIUS authentication of application traffic...173

Creating a RADIUS server object for authenticating application traffic remotely...174

Creating a RADIUS configuration object for authenticating application traffic remotely...174

Creating a custom RADIUS profile...174

Modifying a virtual server for RADIUS authentication...175

Chapter 36:  Configuring Remote SSL LDAP Authentication...177

Overview of remote SSL LDAP authentication for application traffic...177

Task Summary...177

Creating an LDAP Client Certificate SSL configuration object...178

Creating a custom SSL Client Certificate LDAP profile...178

Modifying a virtual server for SSL Client Certificate LDAP authorization...179

Chapter 37:  Configuring Remote SSL OCSP Authentication...181

Overview of remote authentication for application traffic...181

Task Summary...181

Creating an SSL OCSP responder object for authenticating application traffic remotely...182

Creating an SSL OCSP configuration object for authenticating application traffic remotely...182

Creating a custom SSL OCSP profile...182

Modifying a virtual server for SSL OCSP authentication...183

Chapter 38:  Configuring Remote TACACS+ Authentication...185

Overview of remote authentication for application traffic...185

Task Summary...185

Creating a TACACS+ configuration object...186

Creating a custom TACACS+ profile...186

Modifying a virtual server for TACACS+ authentication...187

Chapter 39:  Configuring Kerberos Delegation...189

Overview of remote authentication for application traffic...189

Task Summary...189

Creating a Kerberos Delegation configuration object...189

Creating a Kerberos delegation profile object from the command line...190

Creating a load balancing pool...190

Creating a virtual server with Kerberos delegation and Client SSL profiles...191

Chapter 40:  Load Balancing Diameter Application Requests...193

Overview: Diameter load balancing...193

Task summary...193

Creating a custom Diameter profile...193

Creating a custom Diameter monitor...194

Creating a pool to manage Diameter traffic...194

Creating a virtual server to manage Diameter traffic...194

Chapter 41:  Implementing Low-Latency Electronic Trading Functionality...197

Overview: Configuring the BIG-IP system for low-latency electronic trading...197

Task summary...197

Implementing low-latency electronic trading functionality...198

Creating a custom Fast L4 profile...198

Creating a pool...198

Creating a virtual server for low-latency electronic trading...199

Implementation result...199


Legal Notices

Publication Date

This document was published on May 24, 2016.

Publication Number

MAN-0293-08

Copyright

Copyright © 2012-2016, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, Alive With F5, APM, Application Acceleration Manager, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Certified [DESIGN], F5 Networks, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, iApps, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, LineRate, LineRate Systems [DESIGN], LROS, Message Security Manager, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol Security Manager, PSM, Real Traffic Policy Builder, ScaleN, Signalling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, VE F5 [DESIGN], Virtual Clustered Multiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by one or more patents indicated at:

http://www.f5.com/about/guidelines-policies/patents

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.


FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.


Acknowledgments

This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected under the GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected under the GNU Public License.


In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (©1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (©1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product includes Intel QuickAssist kernel module, library, and headers software licensed under the GNU General Public License (GPL).

This product includes software licensed from Gerald Combs ([email protected]) under the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version. Copyright©1998 Gerald Combs.

This product includes software developed by Thomas Williams and Colin Kelley. Copyright©1986 - 1993, 1998, 2004, 2007

Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you

1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,

2. add special version identification to distinguish your version in addition to the base release version number,

3. provide your name and address as the primary contact for the support of your modified version, and

4. retain our contact information in regard to use of the base software.

Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.

This product includes software developed by Brian Gladman, Worcester, UK Copyright©1998-2010. All rights reserved. The redistribution and use of this software (with or without changes) is allowed without the payment of fees or royalties provided that:

• source code distributions include the above copyright notice, this list of conditions and the following disclaimer;

• binary distributions include the above copyright notice, this list of conditions and the following disclaimer in their documentation.

This software is provided 'as is' with no explicit or implied warranties in respect of its operation, including, but not limited to, correctness and fitness for purpose.

This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory. Copyright©1990-1994 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory.

4. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright© 1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.


THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product contains software developed by Google, Inc. Copyright©2011 Google, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This product includes software developed by Ian Gulliver©2006, which is protected under the GNU General Public License, as published by the Free Software Foundation.

This product includes ec2-tools software, copyright©2008, Amazon Web Services, and licensed under the Amazon Software License. A copy of the License is located at http://aws.amazon.com/asl/ .

Chapter 1: Configuring a Simple Intranet

Overview: A simple intranet configuration

Task summary

Overview: A simple intranet configuration

The simple intranet implementation is commonly found in a corporate intranet (see the following illustration). In this implementation, the BIG-IP® system performs load balancing for several different types of connection requests:

• HTTP connections to the company's intranet web site. The BIG-IP system load balances the two web servers that host the corporate intranet web site, Corporate.main.net.

• HTTP connections to Internet content. These are handled through a pair of cache servers that are also load balanced by the BIG-IP system.

• Non-HTTP connections to the Internet.

Figure 1: Non-intranet connections

As the illustration shows, the non-intranet connections are handled by wildcard virtual servers; that is, servers with the IP address 0.0.0.0. The wildcard virtual server that is handling traffic to the cache servers is port specific, specifying port 80 for HTTP requests. As a result, all HTTP requests not matching an IP address on the intranet are directed to the cache server. The wildcard virtual server handling non-HTTP requests is a default wildcard server. A default wildcard virtual server is one that uses only port 0. This makes it a catch-all match for outgoing traffic that does not match any standard virtual server or any port-specific wildcard virtual server.

Task summary

To create this configuration, you need to complete these tasks.

Task list

Creating a pool

You can create a pool of servers that you group together to receive and process traffic, to efficiently distribute the load on your server resources.

1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

2. Click Create.

The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in the illustration, the pool members for http_pool are 192.168.100.10:80 and 192.168.100.11:80. The pool members for specificport_pool are 192.168.100.20:80 and 192.168.100.21:80.

5. Click Finished.

The load balancing pool appears in the Pools list.

Creating a virtual server

This task creates a destination IP address for application traffic. As part of this task, you must assign the relevant pool to the virtual server.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. In the Destination field, verify that the type of virtual server is Host, and in the Address field, type an IP address for the virtual server.

For example, you can assign the IP address 192.168.200.30:80 to the virtual server that processes HTTP traffic. For load balancing connections to cache servers, you can assign the address 0.0.0.0:80 to the virtual server, making it a wildcard virtual server. To create a forwarding virtual server, you can assign the address 0.0.0.0:0.

5. In the Service Port field, type 80, or select HTTP from the list.

6. In the Configuration area of the screen, locate the Type setting and select either Standard or Forwarding (IP).

7. From the HTTP Profile list, select an HTTP profile.


8. In the Resources area of the screen, from the Default Pool list, select a pool name.

9. Click Finished.

You now have a virtual server to use as a destination address for application traffic.


Chapter 2: Configuring ISP Load Balancing

Overview: ISP load balancing

Task summary for ISP load balancing

Overview: ISP load balancing

You might find that as your network grows, or network traffic increases, you require an additional connection to the Internet. You can use this configuration to add an Internet connection to your existing network. The following illustration shows a network configured with two Internet connections.

Illustration of ISP load balancing

Figure 2: ISP load balancing

Task summary for ISP load balancing

Task list

Creating a load balancing pool

You can create a load balancing pool, which is a logical set of devices, such as web servers, that you group together to receive and process traffic, to efficiently distribute the load on your resources. Using this procedure, create one pool that load balances the content servers, and one pool that load balances the routers.

1. On the Main tab, click Local Traffic > Pools.

The Pool List screen opens.

2. Click Create.

The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.

5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, specify how to handle priority groups:

• Select Disabled to disable priority groups. This is the default option.

• Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.

7. Using the New Members setting, add each resource that you want to include in the pool:

a) Type an IP address in the Address field.

b) Type a port number in the Service Port field, or select a service name from the list.

c) To specify a priority group, type a priority number in the Priority Group Activation field.

d) Click Add.

8. Click Repeat and create another pool.

9. Click Finished.

The load balancing pools appear in the Pools list.

Creating a virtual server for inbound content server traffic

You must create a virtual server to load balance inbound connections. The default pool that you assign as a resource in this procedure is the pool of internal servers.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.


The IP address you type must be available and not in the loopback network.

5. In the Service Port field, type a port number or select a service name from the Service Port list.

6. If the traffic to be load balanced is of a certain type, select the profile type that matches the connection type.

To load balance HTTP traffic, locate the HTTP Profile setting and select http.

7. In the Resources area of the screen, from the Default Pool list, select a pool name.

8. Click Finished.

The virtual server is configured to load balance inbound connections to the servers.

Creating a virtual server for outbound traffic for routers

You must create a virtual server to load balance outbound connections. The default pool that you assign as a resource in this procedure is the pool of routers.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.

The IP address you type must be available and not in the loopback network.

5. In the Resources area of the screen, from the Default Pool list, select a pool name.

6. Click Finished.

The virtual server is configured to load balance outbound connections to the routers.

Creating self IP addresses for an external VLAN

You must assign two self IP addresses to the external VLAN.

1. On the Main tab, click Network > Self IPs.

The Self IPs screen opens.

2. Click Create.

The New Self IP screen opens.

3. In the IP Address field, type an IP address.

This IP address should represent the network of the router. The system accepts IPv4 and IPv6 addresses.

4. In the Netmask field, type the network mask for the specified IP address.

5. Select External from the VLAN list.

6. Click Repeat.

7. In the IP Address field, type an IPv4 or IPv6 address.

This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.

8. Click Finished.


The screen refreshes, and displays the new self IP address in the list. The self IP address is assigned to the external VLAN.

Enabling SNAT automap for internal and external VLANs

You can configure SNAT automapping on the BIG-IP system for internal and external VLANs.

1. On the Main tab, click Local Traffic > Address Translation.

The SNAT List screen displays a list of existing SNATs.

2. Click Create.

3. Name the new SNAT.

4. From the Translation list, select Automap.

5. For the VLAN / Tunnel List setting, in the Available field, select internal and external, and using the Move button, move the VLANs to the Selected field.

6. Click Finished.

SNAT automapping on the BIG-IP system is configured for internal and external VLANs.

Chapter 3: Routing Based on XML Content

Overview: XML content-based routing

Task summary

Overview: XML content-based routing

You can use the BIG-IP® system to perform XML content-based routing whereby the system routes requests to an appropriate pool, pool member, or virtual server based on specific content in an XML document. For example, if your company transfers information in XML format, you could use this feature to examine the XML content with the intent to route the information to the appropriate department.

You configure content-based routing by creating an XML profile and associating it with a virtual server. In the XML profile, define the matching content to look for in the XML document. Next, specify how to route the traffic to a pool by writing simple iRules®. When the system discovers a match, it triggers an iRule event, and then you can configure the system to route traffic to a virtual server, a pool, or a node. You can allow multiple query matches, if needed.

This example shows a simple XML document that the system could use to perform content-based routing. It includes an element called FinanceObject that is used in this implementation.

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:eai="http://192.168.149.250/eai_enu/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <soapenv:Header/>
  <soapenv:Body>
    <eai:SiebelEmployeeDelete soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <FinanceObject xsi:type="xsd:string">Route to Financing</FinanceObject>
      <SiebelMessage xsi:type="ns:ListOfEmployeeInterfaceTopElmt" xmlns:ns="http://www.siebel.com/xml">
        <ListOfEmployeeInterface xsi:type="ns:ListOfEmployeeInterface">
          <SecretKey>123456789</SecretKey>
          <Employee>John</Employee>
          <Title>CEO</Title>
        </ListOfEmployeeInterface>
      </SiebelMessage>
    </eai:SiebelEmployeeDelete>
  </soapenv:Body>
</soapenv:Envelope>


Task summary

You can perform tasks to enable XML content-based routing whereby the system routes requests to an appropriate pool, pool member, or virtual server based on specific content in an XML document.

Task list

Creating a custom XML profile

To implement content-based routing, you first need to create an XML profile. XML profiles specify the content to look for in XML documents. In the XML profile, you define XPath queries to locate items in an XML document.

1. On the Main tab, click Local Traffic > Profiles > Services > XML. The XML screen opens.

2. Click Create.

The New XML screen opens.

3. In the Name field, type a unique name for the XML profile, such as cbr_xml_profile.

4. In the Settings area, select the Custom check box at right.

The settings become available.

5. If you want to reference XML elements with namespaces in XPath queries, from Namespace Mappings, select Specify.

The screen displays the Namespace Mappings List settings.

6. Add namespaces to the list to specify how to map XML namespaces (as defined by the xmlns attribute) for the system to use when routing XML traffic to the correct pool, pool member, or virtual server:

a) In the Prefix field, type the namespace prefix.

b) In the Namespace field, type the URL that the prefix maps to.

c) Click Add to add the namespace to the Namespace Mappings List.

7. To define the matching criteria in the XML document, from XPath Queries, select Specify.

The screen displays the XPath Queries settings.

8. Add XPath queries to the list to define matching criteria in XML payloads so the system can route the traffic to the correct pool, pool member, or virtual server:

a) In the XPath field, type an XPath expression.

For example, to look for an element called FinanceObject, type //FinanceObject.

b) Click Add to add the XPath expression to the XPath Queries list. You can define up to three XPath queries.

The expression is added to the list.

9. To allow each query to have multiple matches, select Multiple Query Matches.

10. Click Finished.

The system creates an XML profile.

You can use the XML profile to route XML traffic. Note that XML profiles do not support use of the Expect header field. This is because the header of a transaction could direct it to one pool, and the payload could invoke an iRule to direct the transaction to a different pool.


Writing XPath queries

You can write up to three XPath queries to define the content that you are looking for in XML documents. When writing XPath queries, you use a subset of the XPath syntax described in the XML Path Language (XPath) standard at http://www.w3.org/TR/xpath.

These are the rules for writing XPath queries for XML content-based routing.

1. Express the queries in abbreviated form.

2. Map all prefixes to namespaces.

3. Use only ASCII characters in queries.

4. Write queries to match elements and attributes.

5. Use wildcards as needed for elements and namespaces; for example, //emp:employee/*.

6. Do not use predicates in queries.

Syntax for XPath expressions

This table shows the syntax to use for XPath expressions.

Expression    Description
Nodename      Selects all child nodes of the named node.
@Attname      Selects all attribute nodes of the named node.
/             Indicates an XPath step.
//            Selects nodes that match the selection no matter where they are in the document.

XPath query examples

This table shows examples of XPath queries.

Query      Description
/a         Selects the root element a.
//b        Selects all b elements wherever they appear in the document.
/a/b:*     Selects any element in the namespace bound to prefix b that is a child of the root element a.
//a/b:c    Selects c elements in the namespace bound to prefix b that are children of an element a, wherever a appears in the document.

Creating a pool to manage HTTP traffic

For implementing content-based routing, you can create one or more pools that contain the servers where you want the system to send the traffic. You write an iRule to route the traffic to the pool.

If you want to specify a default pool to which to send traffic when it does not match the content you are looking for, repeat the procedure to create a second pool. You specify the default pool in the virtual server. Alternatively, you can create a node or a virtual server to route traffic to instead of creating a pool.


1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.

2. Click Create.

The New Pool screen opens.

3. In the Name field, type a name for the pool, such as finance_pool.

4. For the Health Monitors setting, from the Available list, select the http monitor, and click << to move the monitor to the Active list.

5. From the Load Balancing Method list, select how the system distributes traffic to members of this pool.

The default is Round Robin.

6. For the Priority Group Activation setting, specify how to handle priority groups:

• Select Disabled to disable priority groups. This is the default option.

• Select Less than, and in the Available Members field type the minimum number of members that must remain available in each priority group in order for traffic to remain confined to that group.

7. Using the New Members setting, add each resource that you want to include in the pool:

a) Type an IP address in the Address field.

b) Type 80 in the Service Port field, or select HTTP from the list.

c) (Optional) Type a priority number in the Priority field.

d) Click Add.

8. Click Finished.

The new pool appears in the Pools list.

Creating an iRule

You create iRules®to automate traffic forwarding for XML content-based routing. When a match occurs, an iRule event is triggered, and the iRule directs the individual request to a pool, a node, or virtual server. This implementation targets a pool.

1. On the Main tab, click Local Traffic > iRules.

2. Click Create.

3. In the Name field, type a 1- to 31-character name, such as XML_CBR_iRule.

4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax. For complete and detailed information about iRules syntax, see the F5 Networks DevCentral web site at http://devcentral.f5.com.

5. Click Finished.

Examples of iRules for XML content-based routing

This example shows an iRule that queries for an element called FinanceObject in XML content; if a match is found, an iRule event is triggered. The system populates the values of the Tcl variables ($XML_count, $XML_queries, and $XML_values). Then the system routes traffic to a pool called finance_pool.

when XML_CONTENT_BASED_ROUTING {
    for {set i 0} { $i < $XML_count } {incr i} {
        log local0. $XML_queries($i)
        log local0. $XML_values($i)
        if {($XML_queries($i) contains "FinanceObject")} {
            pool finance_pool
        }
    }
}

This is another example of XML content-based routing. It shows routing by bank name and by price.

when XML_CONTENT_BASED_ROUTING {
    for {set i 0} { $i < $XML_count } {incr i} {
        # routing by BANK_NAME
        if {($XML_queries($i) contains "BANK_NAME")} {
            if {($XML_values($i) contains "InternationalBank")} {
                pool pool1
            } elseif {($XML_values($i) contains "Hapoalim")} {
                pool pool2
            } else {
                pool pool3
            }
        }
        # routing by PRICE
        if {($XML_queries($i) contains "PRICE")} {
            if {($XML_values($i) > 50)} {
                pool pool1
            } else {
                pool pool2
            }
        }
    } # end for
}

Note: The XML_CONTENT_BASED_ROUTING event does not trigger when the client's headers contain "Expect: 100-continue", regardless of whether the server sends a 100-continue response. In this case, the request is routed to the default pool.

Tcl variables in iRules for XML routing

This table lists and describes the Tcl variables in the sample iRule.

Tcl variable    Description
$XML_count      Shows the number of matching queries.
$XML_queries    Contains an array of the matching query names.
$XML_values     Holds the values of the matching elements.
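The XPath rules and tables in Writing XPath queries, and the FinanceObject iRule above, as an added Python example that is not part of this manual or of the BIG-IP product: it parses the abbreviated XPath subset the chapter allows (absolute steps, //, prefix:name, *, a final @name, no predicates) and evaluates it against the chapter's sample document with the standard-library ElementTree standing in for the BIG-IP parser, fills the same $XML_count/$XML_queries/$XML_values the iRule reads, and returns the pool the iRule would select. The namespace mappings, the trimmed sample document and the pool name default_pool are constructed for the example, and Multiple Query Matches is assumed to be enabled.

```python
"""Added example, not F5 code: evaluate this chapter's abbreviated XPath subset against
the chapter's sample SOAP document (ElementTree stands in for the BIG-IP XML parser),
then make the same pool decision as the FinanceObject iRule."""
import xml.etree.ElementTree as ET

# Constructed input: the chapter's sample document, trimmed to the parts the queries touch.
SAMPLE_XML = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:eai="http://192.168.149.250/eai_enu/">
  <soapenv:Header/>
  <soapenv:Body>
    <eai:SiebelEmployeeDelete>
      <FinanceObject xsi:type="xsd:string">Route to Financing</FinanceObject>
      <SiebelMessage><Employee>John</Employee><Title>CEO</Title></SiebelMessage>
    </eai:SiebelEmployeeDelete>
  </soapenv:Body>
</soapenv:Envelope>"""

# The profile's Namespace Mappings List: prefix -> namespace URL (rule 2: map all prefixes).
NAMESPACES = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "eai": "http://192.168.149.250/eai_enu/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

def parse_query(query):
    """Split an abbreviated query into (descendant_axis, name_test) steps, e.g.
    '//a/b:c' -> [(True, 'a'), (False, 'b:c')].  Rules 3 and 6: ASCII only, no predicates."""
    if not query.isascii() or "[" in query or not query.startswith("/"):
        raise ValueError("query must be ASCII, absolute and predicate-free: %r" % query)
    steps, i = [], 0
    while i < len(query):
        descendant = query.startswith("//", i)          # '//' = descendant axis, '/' = child axis
        i += 2 if descendant else 1
        j = query.find("/", i) if "/" in query[i:] else len(query)
        if j == i:
            raise ValueError("empty step in %r" % query)
        steps.append((descendant, query[i:j]))
        i = j
    return steps

def _qualify(name, namespaces):
    """Resolve 'prefix:local' via the profile mappings.  ns is '' for an unprefixed
    name (no namespace) and None for a bare '*' (any namespace)."""
    prefix, _, local = name.rpartition(":")
    if not prefix:
        return (None if local == "*" else ""), local
    if prefix not in namespaces:
        raise ValueError("prefix %r has no namespace mapping" % prefix)
    return namespaces[prefix], local

def _matches(elem, step, namespaces):
    """Name test against an ElementTree tag, which is stored as '{uri}local' or 'local'."""
    ns, local = _qualify(step, namespaces)
    elem_ns, elem_local = elem.tag[1:].split("}", 1) if elem.tag.startswith("{") else ("", elem.tag)
    return local in ("*", elem_local) and (ns is None or ns == elem_ns)

def evaluate(root, steps, namespaces):
    """Elements (or attribute values, for a final '@name' step) a parsed query selects;
    a context of None is the document node above the root, so '/a' tests the root itself."""
    contexts = [None]
    for n, (descendant, step) in enumerate(steps):
        if step.startswith("@"):
            if n != len(steps) - 1:
                raise ValueError("an attribute step must be the last step")
            ns, local = _qualify(step[1:], namespaces)
            key = "{%s}%s" % (ns, local) if ns else local
            holders = []
            for ctx in contexts:
                base = root if ctx is None else ctx
                holders += list(base.iter()) if descendant else [base]
            return [h.get(key) for h in holders if h.get(key) is not None]
        selected = []
        for ctx in contexts:
            if descendant:   # '//x' at document level may select the root; 'a//x' means strict descendants of a
                cands = list(root.iter()) if ctx is None else [e for e in ctx.iter() if e is not ctx]
            else:            # '/x' at document level is the root; 'a/x' means the children of a
                cands = [root] if ctx is None else list(ctx)
            selected += [e for e in cands if _matches(e, step, namespaces) and e not in selected]
        contexts = selected
    return contexts

def run_profile(xml_text, queries, namespaces=NAMESPACES):
    """Evaluate the profile's queries (at most three) and return what the iRule sees as
    $XML_count, $XML_queries and $XML_values; assumes Multiple Query Matches is enabled."""
    if len(queries) > 3:
        raise ValueError("an XML profile holds at most three XPath queries")
    root = ET.fromstring(xml_text)
    names, values = [], []
    for q in queries:
        for hit in evaluate(root, parse_query(q), namespaces):
            names.append(q)
            values.append(hit if isinstance(hit, str) else (hit.text or "").strip())
    return {"XML_count": len(names), "XML_queries": names, "XML_values": values}

def finance_irule(xml_vars, default_pool="default_pool"):
    """The chapter's first iRule: a matching query naming FinanceObject selects finance_pool,
    otherwise the virtual server's default pool (constructed placeholder name) applies."""
    pool = default_pool
    for i in range(xml_vars["XML_count"]):
        if "FinanceObject" in xml_vars["XML_queries"][i]:
            pool = "finance_pool"
    return pool
```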

Viewing statistics about XML content-based routing

You can view statistics about XML content-based routing to make sure that the routing is working.


Note: The system first checks for a match, then checks for malformedness of XML content. So if the system detects a match, it stops checking, and might not detect any subsequent parts of the document that are malformed.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens.

2. From the Statistics Type list, select Profiles Summary.

3. In the Global Profile Statistics area, for the Profile Type XML, click View in the Details.

The system displays information about the number of XML documents that were inspected, the number of documents that had zero to three matches, and the number of XML documents that were found to be malformed.

Chapter 4: Configuring nPath Routing

Overview: Layer 2 nPath routing

About Layer 2 nPath routing configuration

Guidelines for UDP timeouts

Guidelines for TCP timeouts

Task summary

Overview: Layer 2 nPath routing

With the Layer 2 nPath routing configuration, you can route outgoing server traffic around the BIG-IP® system directly to an outbound router. This method of traffic management increases outbound throughput because packets do not need to be transmitted to the BIG-IP system for translation and then forwarded to the next hop.


Note: The type of virtual server that processes the incoming traffic must be a transparent, non-translating type of virtual server.

In bypassing the BIG-IP system on the return path, Layer 2 nPath routing departs significantly from a typical load-balancing configuration. In a typical load-balancing configuration, the destination address of the incoming packet is translated from that of the virtual server to that of the server being load balanced to, which then becomes the source address of the returning packet. A default route set to the BIG-IP system then sees to it that packets returning to the originating client return through the BIG-IP system, which translates the source address back to that of the virtual server.

Note: Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not work properly if Layer 7 traffic bypasses the BIG-IP system on the return path.

About Layer 2 nPath routing configuration

The Layer 2 nPath routing configuration differs from the typical BIG-IP® load balancing configuration in the following ways:

• The default route on the content servers must be set to the router's internal address (10.1.1.1 in the illustration) rather than to the BIG-IP system's floating self IP address (10.1.1.10). This causes the return packet to bypass the BIG-IP system.

• If you plan to use an nPath configuration for TCP traffic, you must create a Fast L4 profile with the following custom settings:

Enable the Loose Close setting. When you enable this setting, the TCP protocol flow expires more quickly, after a TCP FIN packet is seen. (A FIN packet indicates the tearing down of a previous connection.)

Set the TCP Close Timeout setting to the same value as the profile idle timeout if you expect half closes. If not, you can set this value to 5 seconds.

• Because address translation and port translation have been disabled, when the incoming packet arrives at the pool member it is load balanced to the virtual server address (176.16.1.1 in the illustration), not to the address of the server. For the server to respond to that address, that address must be configured on the loopback interface of the server and configured for use with the server software.

Guidelines for UDP timeouts

When you configure nPath for UDP traffic, the BIG-IP®system tracks packets sent between the same source and destination address to the same destination port as a connection. This is necessary to ensure the client requests that are part of a session always go to the same server. Therefore, a UDP connection is really a form of persistence, because UDP is a connectionless protocol.

To calculate the timeout for UDP, estimate the maximum amount of time that a server transmits UDP packets before a packet is sent by the client. In some cases, the server might transmit hundreds of packets over several minutes before ending the session or waiting for a client response.


Guidelines for TCP timeouts

When you configure nPath for TCP traffic, the BIG-IP® system recognizes only the client side of the connection. For example, in the TCP three-way handshake, the BIG-IP system sees the SYN from the client to the server, and does not see the SYN acknowledgment from the server to the client, but does see the acknowledgment of the acknowledgment from the client to the server. The timeout for the connection should match the combined TCP retransmission timeout (RTO) of the client and the node as closely as possible to ensure that all connections are successful.

The maximum initial RTO observed on most UNIX and Windows® systems is approximately 25 seconds. Therefore, a timeout of 51 seconds should adequately cover the worst case. When a TCP session is established, an adaptive timeout is used. In most cases, this results in a faster timeout on the client and node. Only in the event that your clients are on slow, lossy networks would you ever require a higher TCP timeout for established connections.

Task summary

There are several tasks you perform to create a Layer 2 nPath routing configuration.

Task list

Creating a custom Fast L4 profile

You can create a custom Fast L4 profile to manage Layer 4 traffic more efficiently.

1. On the Main tab, click Local Traffic > Profiles > Protocol > Fast L4.

The Fast L4 screen opens.

2. Click Create.

The New Fast L4 profile screen opens.

3. In the Name field, type a unique name for the profile.

4. Select the Custom check box.

5. Select the Loose Close check box.

6. Set the TCP Close Timeout setting, according to the type of traffic that the virtual server will process.

7. Click Finished.

The custom Fast L4 profile appears in the list of Fast L4 profiles.

Creating a server pool for nPath routing

After you create a custom Fast L4 profile, you need to create a server pool.

1. On the Main tab, click Local Traffic > Pools.

The Pool List screen opens.

2. Click Create.

The New Pool screen opens.


3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, in the Available list, select a monitor type, and click << to move the monitor to the Active list.

Tip: Hold the Shift or Ctrl key to select more than one monitor at a time.

5. Using the New Members setting, add each resource that you want to include in the pool:

a) Type an IP address in the Address field.

b) Type a port number in the Service Port field, or select a service name from the list.

c) To specify a priority group, type a priority number in the Priority Group Activation field.

d) Click Add.

6. Click Finished.

Creating a virtual server for Layer 2 nPath routing

After you create a server pool, you need to create a virtual server that references the profile and pool you created.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.

2. Click the Create button.

The New Virtual Server screen opens.

3. In the Name field, type a unique name for the virtual server.

4. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.

The IP address you type must be available and not in the loopback network.

5. From the Configuration list, select Advanced.

6. From the Type list, select Performance (Layer 4).

7. From the Protocol list, select one of the following:

• UDP

• TCP

• * All Protocols

8. From the Protocol Profile (Client) list, select a predefined or user-defined Fast L4 profile.

9. For the Address Translation setting, clear the Enabled check box.

10. For the Port Translation setting, clear the Enabled check box.

11. In the Resources area of the screen, from the Default Pool list, select a pool name.

12. Click Finished.

Configuring the virtual address on the server loopback interface

You must place the IP address of the virtual server (176.16.1.1 in the illustration) on the loopback interface of each server. Most UNIX variants have a loopback interface named lo0. Consult your server operating system documentation for information about configuring an IP address on the loopback interface. The loopback interface is ideal for the nPath configuration because it does not participate in the ARP protocol.

Setting the route for inbound traffic

For inbound traffic, you must define a route through the BIG-IP® system self IP address to the virtual server. In the example, this route is 176.16.1.1, with the external self IP address 10.1.1.10 as the gateway.

Note: You need to set this route only if the virtual server is on a different subnet than the router.

For information about how to define this route, please refer to the documentation provided with your router.

Configuring the Connection.Autolasthop bigdb key

To ensure that nPath routing works correctly, you must verify that the bigdb configuration key connection.autolasthop is set to enable. This is relevant for both IPv4 and IPv6 addressing formats. To verify that this bigdb key is enabled, type this command at the tmsh prompt:

    modify sys db Connection.Autolasthop value enable

Chapter 5: Configuring Layer 3 nPath Routing

Overview: Layer 3 nPath routing

Configuring Layer 3 nPath routing using tmsh

Configuring a Layer 3 nPath monitor using tmsh

Layer 3 nPath routing example

Overview: Layer 3 nPath routing

Using Layer 3 nPath routing, you can load balance traffic over a routed topology in your data center. In this deployment, the server sends its responses directly back to the client, even when the servers, and any intermediate routers, are on different networks. This routing method uses IP encapsulation to create a uni-directional outbound tunnel from the server pool to the server.

You can also override the encapsulation for a specified pool member, and either remove that pool member from any encapsulation or specify a different encapsulation protocol. The available encapsulation protocols are IPIP and GRE.

Figure 4: Example of a Layer 3 routing configuration

This illustration shows the path of a packet in a deployment that uses Layer 3 nPath routing through a tunnel.

1. The client sends traffic to a Fast L4 virtual server.

3. The server removes the encapsulation header and returns the packet to the network.

4. The target application receives the original packet, processes it, and responds directly to the client.

Configuring Layer 3 nPath routing using tmsh

Before performing this procedure, determine the IP address of the loopback interface for each server in the server pool.

Use Layer 3 nPath routing to provide direct server return for traffic in a routed topology in your data center.

1. On the BIG-IP® system, start a console session.

2. Create a server pool with an encapsulation profile.

    tmsh create ltm pool npath_ipip_pool profiles add { ipip } members add { 10.7.1.7:any 10.7.1.8:any 10.7.1.9:any }

This command creates the pool npath_ipip_pool, which has three members that specify all services: 10.7.1.7:any, 10.7.1.8:any, and 10.7.1.9:any, and applies IPIP encapsulation to outbound traffic.

3. Create a profile that disables hardware acceleration.

    tmsh create ltm profile fastl4 fastl4_npath pva-acceleration none

This command disables the Packet Velocity® ASIC acceleration mode in the new Fast L4 profile named fastl4_npath.

4. Create a virtual server that has address translation disabled, and includes the pool with the encapsulation profile.

    tmsh create ltm virtual npath_udp destination 176.16.1.1:any pool npath_ipip_pool profiles add { fastl4_npath } translate-address disabled ip-protocol udp

This command creates a virtual server named npath_udp that intercepts all UDP traffic, does not use address translation, and does not use hardware acceleration. The destination address 176.16.1.1 matches the IP address of the loopback interface on each server.

These implementation steps configure only the BIG-IP device in a deployment example. To configure other devices in your network for L3 nPath routing, consult the device manufacturer's documentation for setting up direct server return (DSR) for each device.

Configuring a Layer 3 nPath monitor using tmsh

Before you begin this task, configure a server pool with an encapsulation profile, such as npath_ipip_pool. You can create a custom monitor to provide server health checks of encapsulated tunnel traffic. Setting a variable in the db component causes the monitor traffic to be encapsulated.

1. Start at the Traffic Management Shell (tmsh).

2. Create a transparent health monitor with the destination IP address of the virtual server that includes the pool with the encapsulation profile.


tmsh create ltm monitor udp npath_udp_monitor transparent enabled destination 176.16.1.1:*

This command creates a transparent monitor for UDP traffic with the destination IP address 176.16.1.1, and the port supplied by the pool member.

3. Associate the health monitor with the pool that has the encapsulation profile.

tmsh modify ltm pool npath_ipip_pool monitor npath_udp_monitor

This command specifies that the BIG-IP® system monitors UDP traffic to the pool npath_ipip_pool. (The ltm module name is required when the command is entered from the top level of tmsh.)

4. Enable the variable in the db component that causes the monitor traffic to be encapsulated.

tmsh modify sys db tm.monitorencap value enable

This command specifies that the monitor traffic is encapsulated.

Layer 3 nPath routing example

The following illustration shows one example of an L3 nPath routing configuration in a network.

Figure 5: Example of a Layer 3 routing configuration

The following examples show the configuration code that supports the illustration.

Client configuration:

# ifconfig eth0 inet 10.102.45.10 netmask 255.255.255.0 up
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.102.45.1

BIG-IP® device configuration:

# - create node pointing to server's ethernet address
# ltm node 10.102.4.10 {
#     address 10.102.4.10
# }
# - create transparent monitor
# ltm monitor tcp t.ipip {
#     defaults-from tcp
#     destination 10.102.3.202:http

